Certificate Policy

CertifiedData.io operates as a certificate authority for AI artifacts. A CertifiedData certificate is a machine-verifiable cryptographic record that proves:

• A specific artifact (identified by SHA-256 hash) was generated synthetically
• Generation occurred at the stated timestamp
• The stated generation algorithm was used
• The certificate was issued by CertifiedData.io (verified by Ed25519 signature)

A certificate does not prove accuracy, usefulness, representativeness, or fitness for any particular purpose of the artifact's contents.

CertifiedData issues certificates for:

• Synthetic datasets — tabular datasets generated by the CertifiedData generation engine (CTGAN, Gaussian, Light, or DP-CTGAN algorithms)
• Marketplace datasets — pre-built certified synthetic datasets distributed through the CertifiedData dataset marketplace

CertifiedData does not currently certify external datasets, model artifacts, or AI outputs not generated by the CertifiedData platform.

A certificate is issued automatically upon successful completion of synthetic dataset generation. The issuance process:

1. The generation engine produces a ZIP artifact containing the CSV dataset and a generation manifest
2. SHA-256 hashes are computed for the ZIP archive and each inner file
3. A certificate payload is constructed with all required fields
4. The payload is canonicalized using RFC 8785 (JSON Canonicalization Scheme)
5. The canonical payload is signed with the active Ed25519 private key
6. The certificate record is persisted to the CertifiedData database and made publicly available

Certificates do not expire. A certificate remains valid as long as:

• The signing key has not been revoked
• The certificate has not been explicitly revoked by CertifiedData

Certificates issued by retired (non-revoked) keys remain fully valid and verifiable.

CertifiedData may revoke a certificate if:

• The certificate was issued due to a system error or fraudulent request
• The signing key used was compromised (key-level revocation affects all certificates signed by that key)
• The underlying artifact is found to contain real (non-synthetic) personal data

Revocation status is published at the public verification endpoint. Revoked certificates return verified: false with reason certificate_revoked.

Relying parties using CertifiedData certificates for compliance, procurement, or governance purposes are responsible for:

• Independently verifying certificates using the public verification endpoint or local verification tools
• Checking certificate revocation status at time of reliance
• Confirming the artifact hash in the certificate matches their copy of the artifact
• Understanding that a certificate proves synthetic origin, not fitness for purpose

CertifiedData certificates are provided as-is. CertifiedData makes no warranty regarding the suitability, accuracy, or completeness of certified datasets for any particular use. Certification proves provenance and synthetic origin — it does not constitute an endorsement of the dataset's contents or fitness for any regulatory, compliance, or operational purpose.

Questions about certificate issuance, revocation requests, or this policy should be directed to [email protected].